Using the Target tool
The Target tool gives you an overview of your target application's content and functionality, and lets you drive key parts of your testing workflow. The key steps typically involved in using the Target tool are described below.
Manual application mapping
First, map the target application manually. To do this, carry out the following steps:
- Set up your browser and Burp Proxy to work together.
- Turn off Proxy interception, and browse the entire application manually.
- Follow every link, submit every form, step through every multi-stage process, and log in to all protected areas.
This manual mapping populates the Target site map with all of the content requested via the Proxy, plus (via live passive crawling) any further content that can be inferred from application responses, such as links and forms. The result is a fairly complete record in the site map of all the visible application content, and by the time you finish you will also be thoroughly familiar with the application.
Note: For some use cases, Burp's automated crawler is superior to manual application mapping, because it captures the navigational paths through the application in a way that lets Burp Scanner automatically maintain session when auditing the application. Manual mapping, on the other hand, allows a human user to guide the process, avoiding potentially dangerous functionality, and verifying that navigational actions have the expected results. The choice of manual versus automated mapping very much depends on the nature of the application and your intended use of the results.
Defining Target scope
When the initial application mapping is completed, this is a good time to define your Target scope, by selecting branches within the site map and using the "Add to scope" / "Remove from scope" commands on the context menu. You can then configure suitable display filters on the site map and Proxy history, to hide from view items that you are not currently interested in.
Reviewing unrequested items
Review the site map for any items within your target scope that have been detected via live passive crawling but have not yet been requested. These are shown in gray in the site map. You can also locate unrequested items quickly by selecting the whole application in the tree view and sorting the table view on the "Time requested" column (click the column header); items that were never requested then group together. Manually review these items, for example by copying each URL into your browser (through the Proxy, so that the response is recorded in the site map), to confirm whether they contain any further interesting content.
Discovering hidden content
Having mapped all of the application's visible content (i.e. that which can be observed by browsing the application and following all links), you can optionally carry out some automated actions to identify further "hidden" content that is not linked from visible content:
- You can select folders in the site map and use Burp's content discovery function to try to guess further items.
- You can send items in the site map to Burp Intruder to carry out customized content discovery.
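The customized content discovery described above, as an added example that is not Burp's own content discovery code: candidate URLs are generated from site-map folders and a wordlist, and each guess is judged against a per-folder "not found" baseline rather than by status code alone, so applications that answer 200 for unknown paths (soft 404s) do not drown the results. The fetch function is injected, so the logic runs offline here against a constructed fake site; `proxy_fetch` is a real fetch through Burp's default Proxy listener on 127.0.0.1:8080 (an assumed address) so that every guess lands in the site map. `target.example`, the folder names, the wordlist and all response sizes are assumptions for the demo.

```python
"""Wordlist-based content discovery against site-map folders.
Added example, not Burp's own code. The fetch function is injected so the
same logic runs offline against the constructed fake site below."""
import random
import string
import urllib.error
import urllib.request
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List
from urllib.parse import urljoin


@dataclass(frozen=True)
class Response:
    status: int
    length: int


Fetch = Callable[[str], Response]


def candidate_urls(folders: List[str], words: List[str], extensions: List[str]) -> List[str]:
    """For each folder and word, guess a bare name, a directory, and each extension."""
    urls: List[str] = []
    for folder, word in product(folders, words):
        base = folder if folder.endswith("/") else folder + "/"
        urls.append(urljoin(base, word))
        urls.append(urljoin(base, word + "/"))
        urls.extend(urljoin(base, f"{word}.{ext}") for ext in extensions)
    return urls


def not_found_baseline(folder: str, fetch: Fetch, rng: random.Random) -> Response:
    """Request a random name that cannot exist, to learn what 'missing' looks like in
    this folder. Apps that answer 200 with a friendly error page (soft 404s) make the
    status code alone useless for deciding whether a guess hit."""
    junk = "".join(rng.choices(string.ascii_lowercase, k=16))
    base = folder if folder.endswith("/") else folder + "/"
    return fetch(urljoin(base, junk))


def is_hit(resp: Response, baseline: Response, tolerance: int = 32) -> bool:
    """A guess is interesting if it differs from the folder's baseline: a different
    status (other than a plain 404/410), or the same status with a noticeably different
    body length. 401/403 count as hits because they reveal that the path exists."""
    if resp.status != baseline.status:
        return resp.status not in (404, 410)
    return abs(resp.length - baseline.length) > tolerance


def discover(folders: List[str], words: List[str], extensions: List[str],
             fetch: Fetch, seed: int = 0) -> Dict[str, Response]:
    """Run discovery folder by folder, each against its own not-found baseline."""
    rng = random.Random(seed)
    hits: Dict[str, Response] = {}
    for folder in folders:
        baseline = not_found_baseline(folder, fetch, rng)
        for url in candidate_urls([folder], words, extensions):
            resp = fetch(url)
            if is_hit(resp, baseline):
                hits[url] = resp
    return hits


def proxy_fetch(proxy_url: str = "http://127.0.0.1:8080") -> Fetch:
    """Real fetch through Burp's Proxy listener (address assumed), so every guess and
    every hit is recorded in the Target site map."""
    handler = urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})
    opener = urllib.request.build_opener(handler)

    def fetch(url: str) -> Response:
        try:
            with opener.open(url, timeout=10) as r:
                return Response(r.status, len(r.read()))
        except urllib.error.HTTPError as e:  # 4xx/5xx still carry a useful body length
            return Response(e.code, len(e.read()))

    return fetch


# Constructed fake application for the offline demo (assumed, not a real host):
# /admin/ answers 200 with an error page for unknown paths (soft 404); /static/ a real 404.
FAKE_SITE = {
    "http://target.example/admin/config.php": Response(200, 1840),
    "http://target.example/admin/backup/": Response(403, 310),
    "http://target.example/static/robots.txt": Response(200, 55),
}


def fake_fetch(url: str) -> Response:
    if url in FAKE_SITE:
        return FAKE_SITE[url]
    if url.startswith("http://target.example/admin/"):
        return Response(200, 512)  # soft 404: "page not found" rendered with status 200
    return Response(404, 162)


FOLDERS = ["http://target.example/admin/", "http://target.example/static/"]
WORDS = ["config", "backup", "robots", "login"]
EXTENSIONS = ["php", "txt"]

if __name__ == "__main__":
    for url, resp in discover(FOLDERS, WORDS, EXTENSIONS, fake_fetch).items():
        print(f"{resp.status} {resp.length:6d} {url}")
```

Swap `fake_fetch` for `proxy_fetch()` to run it against a real target; for HTTPS through the Proxy, Python's SSL context must trust Burp's CA certificate or the requests will fail. The baseline is the part worth keeping whatever tool you use: without it, the `/admin/` folder above would report every guess as a 200 "hit".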
Analyzing the attack surface
When you are satisfied that you have mapped all of the application's content and functionality, you should review the contents of the site map (together with the Proxy history) to understand the attack surface that the application exposes. You can use the following site map features to support this task:
- You can select branches of the site map tree and use the Target analyzer function to identify all of the dynamic URLs and parameters.
- You can use the display filter, and sortable table view, to systematically work through a complex site map and understand where different kinds of interesting content reside.
- You can annotate items with highlights and comments, to describe their purpose or identify interesting items to come back to later.
Target tool testing workflow
Having fully mapped the application and assessed its attack surface, you can drive your detailed vulnerability testing workflow from the site map:
- You can select branches and items and use the context menu to send these to other Burp tools to carry out particular tasks, such as automated vulnerability scanning using Burp Scanner, fuzzing using Burp Intruder, or manually testing using Burp Repeater.
- You can request the contents of the site map again in a different session context (for example, as a lower-privileged user, or with no session at all) and compare the two site maps, to help identify access control vulnerabilities.
- You can search branches of the site map for specific expressions, scripts and comments.
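The site-map comparison described above, as an added example that is not Burp's own "compare site maps" implementation: every item from the site map built while browsing as a privileged user is re-requested in a second session, the two responses are classified, and the suspects are those that the second user never reached by browsing but still receives unchanged. The replay function is injected so the script runs offline against constructed sample data; all paths, users and response sizes are assumptions for the demo. Non-idempotent methods are deliberately skipped, because replaying a POST that deletes a record in another session still deletes it.

```python
"""Compare the site map as seen by two session contexts to spot access control gaps.
Added example, not Burp's own implementation. The replay function is injected so the
logic runs offline against the constructed sample data below."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Item:
    method: str
    url: str


@dataclass(frozen=True)
class Observed:
    status: int
    length: int
    location: Optional[str] = None  # Location header, for redirects


SiteMap = Dict[Item, Observed]
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def classify(priv: Observed, other: Observed, tolerance: int = 64) -> str:
    """Describe how the other session's response relates to the privileged one."""
    if other.status in (401, 403):
        return "DENIED"
    if 300 <= other.status < 400 and other.location and "login" in other.location.lower():
        return "LOGIN_REDIRECT"
    if other.status == priv.status and abs(other.length - priv.length) <= tolerance:
        return "SAME"
    return "DIFFERENT"


def compare_site_maps(privileged: SiteMap, replay_as_other: Callable[[Item], Observed],
                      tolerance: int = 64) -> List[Tuple[Item, str]]:
    """Re-request every item of the privileged session's map in the other session.
    State-changing methods are skipped rather than replayed: a POST that deletes a
    record would still delete it, so those need to be tested by hand."""
    results: List[Tuple[Item, str]] = []
    for item, priv in privileged.items():
        if item.method not in SAFE_METHODS:
            results.append((item, "SKIPPED_UNSAFE_METHOD"))
            continue
        results.append((item, classify(priv, replay_as_other(item), tolerance)))
    return results


def access_control_suspects(privileged: SiteMap, other: SiteMap,
                            replay_as_other: Callable[[Item], Observed],
                            tolerance: int = 64) -> List[Item]:
    """Items the privileged user reached, that the other user never reached by
    browsing, yet that come back unchanged when fetched in the other session.
    Items already in the other user's own map are legitimately shared content."""
    return [item for item, verdict in compare_site_maps(privileged, replay_as_other, tolerance)
            if verdict == "SAME" and item not in other]


# Constructed sample data (assumed, not a real application). ADMIN_MAP is the site map
# built while browsing as an administrator; USER_MAP while browsing as ordinary user 7.
ADMIN_MAP: SiteMap = {
    Item("GET", "/"): Observed(200, 4200),
    Item("GET", "/admin/"): Observed(200, 3100),
    Item("GET", "/admin/users"): Observed(200, 8700),
    Item("POST", "/admin/users/42/delete"): Observed(302, 0, "/admin/users"),
    Item("GET", "/account"): Observed(200, 2300),
    Item("GET", "/api/orders?user=42"): Observed(200, 1800),
}
USER_MAP: SiteMap = {
    Item("GET", "/"): Observed(200, 4200),
    Item("GET", "/account"): Observed(200, 2250),
    Item("GET", "/api/orders?user=7"): Observed(200, 1350),
}
# What the fake application returns when user 7's session requests each admin-map item.
USER_SESSION_RESPONSES: SiteMap = {
    Item("GET", "/"): Observed(200, 4200),
    Item("GET", "/admin/"): Observed(302, 0, "/login?next=/admin/"),
    Item("GET", "/admin/users"): Observed(200, 8700),        # vertical: admin page served to user 7
    Item("GET", "/account"): Observed(200, 2250),            # user 7's own account page, fine
    Item("GET", "/api/orders?user=42"): Observed(200, 1800),  # horizontal: another user's orders
}


def fake_replay_as_user(item: Item) -> Observed:
    return USER_SESSION_RESPONSES.get(item, Observed(404, 120))


if __name__ == "__main__":
    for item, verdict in compare_site_maps(ADMIN_MAP, fake_replay_as_user):
        print(f"{verdict:22s} {item.method} {item.url}")
    suspects = access_control_suspects(ADMIN_MAP, USER_MAP, fake_replay_as_user)
    print("suspects:", [i.url for i in suspects])
```

Length comparison with a tolerance is a cheap first pass, not proof: a page that embeds the user's name will differ by a few bytes while still leaking the same data, and a "SAME" verdict on a personalised page can be benign. Treat the suspects list as the queue of items to open in Repeater and read by eye.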